Add read permissions to publish-crates job (astral-sh#16797)

zanieb · web-flow · commit 8d8aabb88490 · 2025-11-20T16:38:19.000-06:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -233,8 +233,7 @@ jobs:
     secrets: inherit
     # publish jobs get escalated permissions
     permissions:
-      "id-token": "write"
-      "packages": "write"
+      "contents": "read"
 
   # Create a GitHub Release while uploading all files to it
   announce:
diff --git a/dist-workspace.toml b/dist-workspace.toml
@@ -61,7 +61,7 @@ publish-jobs = ["./publish-pypi", "./publish-crates"]
 # Post-announce jobs to run in CI
 post-announce-jobs = ["./publish-docs"]
 # Custom permissions for GitHub Jobs
-github-custom-job-permissions = { "build-docker" = { packages = "write", contents = "read", id-token = "write", attestations = "write" } }
+github-custom-job-permissions = { "build-docker" = { packages = "write", contents = "read", id-token = "write", attestations = "write" }, "publish-crates" = { contents = "read" } }
 # Whether to install an updater program
 install-updater = false
 # Path that installers should place binaries in
